http://seattlepi.nwsource.com/business/279432_software31.html

By TODD BISHOP
P-I REPORTER
July 31, 2006

Microsoft engineers will detail new security approaches in Windows Vista at an important tech conference later this week. But when it comes to grabbing attention, it won't be easy for them to top another session at the conference. Its title: "Subverting Vista Kernel For Fun And Profit."

No, this is not your ordinary industry confab.

In a first for Microsoft, the company will present at the Black Hat Briefings -- an annual gathering in Las Vegas where hackers, researchers, government officials and corporate technology specialists unveil and analyze emerging computer security threats.

Microsoft's full day of sessions on Windows Vista reflects its effort to improve security in the upcoming operating system and cut down on the bugs that have made previous versions of its flagship program notoriously vulnerable to online attacks.

The company will be showing the audience some of the key changes it has made in Windows Vista security, and seeking feedback from researchers on where it could still improve, said Stephen Toulouse, security program manager with Microsoft's Security Response Center.

Toulouse called it an extension of Microsoft's ongoing interaction with security researchers. Among other things, the company has held a series of its own events with researchers.

"We want people to look at our assumptions and challenge them if they think they're wrong," he said. "At the same time, we want to show them that we've listened to the feedback they've provided us over the past several years. That's really what the presentations focus on."

For conference organizers, one original appeal was the timeliness, with Windows Vista scheduled to come out in the fall, said Black Hat Briefings Director Jeff Moss, the Seattle-based security expert who founded the conference. Microsoft has since delayed Windows Vista's retail debut until early next year.

"It doesn't have quite the impact that it was going to have if it was right before the release," Moss said. "But I still think it's really important, because this is the next generation, and these are the people who helped design it."

The conference is expected to draw about 3,000 people. It doesn't promise to be an easy crowd for the company, but Moss said Microsoft's efforts to improve security in recent years have improved its standing.

"I think in the past they would have been more ridiculed, but they seem to be following through on their statements" about security, Moss said. "They made some pretty bold statements, but they've been backing it up with a lot of money and a lot of effort, a lot of energy."

Windows Vista is the first version of the PC operating system to be developed entirely under the "Trustworthy Computing" initiative that Bill Gates launched in early 2002, after a series of high-profile vulnerabilities in Microsoft programs. The company says it has overhauled its process of developing software to emphasize security.

In addition, Windows Vista will come with a series of new technical approaches and designs to protect against malicious programs such as viruses and spyware, which can otherwise install and run on a computer undetected.

"We want it to be the most secure version of Windows ever, and the security researchers are going to help us do that," Microsoft's Toulouse said.

Microsoft cautions that it won't be possible to completely thwart online threats, given the complexity of software development and the changing tactics of attackers. And other experts say that the level of security in Vista won't be clear until it's released and widely used.

"You won't know until it's out there," said Bruce Schneier, chief technical officer at Counterpane Internet Security. "Is the code better quality? Will there be fewer vulnerabilities? Who knows? ... They're doing this, they're doing that. Did they do it right? Who knows?"

Schneier described Black Hat as "a very hostile Microsoft audience." But he said it's critical for Microsoft to take part in such events, to get feedback that can help secure its products.

"They have to engage the hacker community -- they can't ignore them," Schneier said. "I think they deserve a lot of credit for it, because it's hard."

Black Hat is commonly called a hacker convention, but that word often doesn't have the negative connotations in technology circles that it does in popular culture -- instead referring to someone who modifies a system or finds ways to infiltrate computer programs, but not necessarily with malicious intent.

The phrase "black hat" describes a criminal or malevolent hacker, but its use in the conference name refers to the subject of the sessions, not the attendees or speakers. "We're briefing on what the black hats are up to," Moss explained.

Many of the researchers who attend Black Hat practice what's known as responsible disclosure, giving companies such as Microsoft a chance to patch flaws before details of the problem are public.

The "Subverting Vista Kernel For Fun And Profit" session is about a technology called Blue Pill, developed by security researcher Joanna Rutkowska of Singapore-based security firm COSEINC. Rutkowska says she has come up with a way to insert "undetectable" malicious code into the Vista kernel -- the place that controls the interaction between hardware and software -- by taking advantage of technology that essentially divides a computer system so it can run multiple operating systems.

Despite the title of the session, Rutkowska said in an e-mail that she won't be providing the level of detail that would let someone subvert the Vista kernel on their own, if they weren't already able to figure it out.

She said she hopes to spur the industry and processor vendors to try to mitigate the threat, and she noted that nothing about Windows Vista makes it more susceptible than other operating systems to a Blue Pill attack.

But past Black Hat Briefings haven't been without controversy. Last year, Cisco Systems went to court seeking an injunction after a researcher, over its objections, gave a presentation at Black Hat on a way to exploit a flaw in Cisco's router software.

At the same time, in the world of hacker conventions, Black Hat traditionally has more corporate involvement and a less renegade reputation than Def Con -- a gathering in Las Vegas immediately after Black Hat that accepts only cash for admission, to avoid having any records that could be subpoenaed. Moss, who sold Black Hat to CMP Media last year, runs Def Con independently.

Microsoft isn't scheduled to present at Def Con, although Toulouse said people from the company will attend.

BLACK HAT BRIEFINGS

Microsoft will be putting Windows Vista under the scrutiny of hackers, researchers and other computer security experts Thursday at the Black Hat Briefings in Las Vegas.

Coming up this week in the Seattle P-I:

Wednesday: A detailed look at Microsoft's new security initiatives in Windows Vista, and its remaining challenges, on the eve of the company's Black Hat presentations.

Friday: From Las Vegas, coverage of Microsoft's Black Hat appearance.

SeattlePI.com: Follow the news from Black Hat starting Wednesday at Todd Bishop's Microsoft Blog.

Software Notebook is a Monday feature by P-I reporter Todd Bishop. He can be reached at 206-448-8221 or toddbishop [at] seattlepi.com